Solved Antivir solution and search redirects


Jeff2020

Hello,
Yesterday I got hit with Antivir Solution Pro. I could not open most web sites, and warnings about viruses kept popping up. Went to safe mode and ran Malwarebytes, and it found 2 items.

Files Infected:
C:\Documents and Settings\Jeff Lyons\Local Settings\Temp\101.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jeff Lyons\Local Settings\Temp\4e647706.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

It did not fix the problem; I could not open Task Manager or get to System Restore, so I went back to safe mode and ran System Restore. That got rid of the Antivir issues with the warnings, and I can get to all web pages, but now I get redirected when clicking on a link in any search engine. Below are the logs.


Thanks in advance for any and all help.
Jeff
 
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4344

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

7/24/2010 12:03:32 PM
mbam-log-2010-07-24 (12-03-32).txt

Scan type: Quick scan
Objects scanned: 165974
Time elapsed: 9 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-24 13:41:40
Windows 5.1.2600 Service Pack 3
Running: kwfmqq6n.exe; Driver: C:\DOCUME~1\JEFFLY~1\LOCALS~1\Temp\kfayqaod.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF75D787E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF75D7BFE]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007C000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007A000C
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A8000A
.text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\system32\wuauclt.exe[3620] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\wuauclt.exe[3620] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A5000A
.text C:\WINDOWS\system32\wuauclt.exe[3620] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003E000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp Lbd.sys (Boot Driver/Lavasoft AB)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp Lbd.sys (Boot Driver/Lavasoft AB)

---- EOF - GMER 1.0.15 ----
 
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jeff Lyons at 13:42:21.20 on Sat 07/24/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.574 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jeff Lyons\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-23 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-6-20 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-6-20 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-6-20 243024]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2010-6-20 14464]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-7-15 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2010-6-20 88192]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1181328]

=============== Created Last 30 ================

2010-07-24 04:02:08 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2010-07-24 03:52:46 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-24 03:27:58 0 dc-h--w- c:\docume~1\alluse~1.win\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 02:29:17 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2010-07-24 01:20:14 0 d-----w- c:\docume~1\jeffly~1\applic~1\Malwarebytes
2010-07-24 01:20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 01:19:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 01:19:58 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-07-24 01:15:07 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-15 22:55:08 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-05 10:13:16 18236 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-01 17:21:27 248832 ----a-w- c:\windows\system32\VCLX50.BPL
2010-07-01 17:21:27 2023424 ----a-w- c:\windows\system32\VCL50.BPL
2010-07-01 17:21:27 147456 ----a-w- c:\windows\system32\BCBSMP50.BPL
2010-07-01 17:21:18 299520 ----a-w- c:\windows\uninst.exe
2010-07-01 17:21:16 0 d-----w- c:\documents and settings\jeff lyons\WINDOWS
2010-06-29 14:47:44 0 d-----w- C:\Gemstall
2010-06-28 13:13:16 0 d-----w- C:\SHOPAK V5.00.09 Suite Production CD

==================== Find3M ====================

2010-07-24 15:54:09 14336 ----a-w- c:\windows\system32\svchost.exe
2010-07-15 22:55:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:54:27 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-20 21:01:28 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-20 15:25:40 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 13:42:59.65 ===============



------------------------------------------------------------------------------------


DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 6/20/2010 10:35:03 AM
System Uptime: 7/24/2010 12:30:53 PM (1 hours ago)

Motherboard: Dell Inc. | |
Processor: Intel(R) Pentium(R) M processor 1.73GHz | Microprocessor | 1728/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 37 GiB total, 16.585 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Dell TrueMobile 1300 WLAN Mini-PCI Card
Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_50101468&REV_02\4&2FA23535&0&18F0
Manufacturer: Broadcom
Name: Dell TrueMobile 1300 WLAN Mini-PCI Card
PNP Device ID: PCI\VEN_14E4&DEV_4318&SUBSYS_50101468&REV_02\4&2FA23535&0&18F0
Service: BCM43XX

==== System Restore Points ===================

RP1: 6/20/2010 10:38:57 AM - System Checkpoint
RP2: 6/20/2010 11:59:56 AM - Installed C-Major Audio
RP3: 6/20/2010 12:00:37 PM - Installed TIPCI
RP4: 6/20/2010 12:03:24 PM - Installed Broadcom Gigabit Integrated Controller
RP5: 6/20/2010 12:08:26 PM - Installed MSXML 4.0 SP2 Parser and SDK
RP6: 6/20/2010 12:09:05 PM - Installed Gemcom32
RP7: 6/20/2010 12:10:11 PM - Installed Java(TM) 6 Update 18
RP8: 6/20/2010 12:12:04 PM - Removed Gemcom32
RP9: 6/20/2010 12:12:26 PM - Installed Gemcom32
RP10: 6/20/2010 2:12:34 PM - Software Distribution Service 3.0
RP11: 6/20/2010 2:36:15 PM - Installed AVG Free 9.0
RP12: 6/20/2010 3:17:08 PM - Installed Java(TM) 6 Update 16
RP13: 6/20/2010 3:18:47 PM - Installed OpenOffice.org 3.1
RP14: 6/20/2010 3:36:32 PM - Removed OpenOffice.org 3.1
RP15: 6/20/2010 4:00:19 PM - Removed Java(TM) 6 Update 18
RP16: 6/20/2010 4:01:19 PM - Installed Java(TM) 6 Update 20
RP17: 6/20/2010 4:02:31 PM - Installed OpenOffice.org 3.2
RP18: 6/20/2010 5:15:42 PM - Software Distribution Service 3.0
RP19: 6/20/2010 10:27:16 PM - Installed Sapphire Management Suite 1.09.06 6162009
RP20: 6/21/2010 6:54:15 PM - Avg8 Update
RP21: 6/21/2010 7:00:37 PM - Avg Update
RP22: 6/22/2010 6:06:44 AM - Software Distribution Service 3.0
RP23: 6/22/2010 5:48:55 PM - Avg Update
RP24: 6/23/2010 8:11:43 PM - System Checkpoint
RP25: 6/24/2010 5:07:07 PM - Avg Update
RP26: 6/24/2010 8:54:53 PM - Installed Adobe Reader 9.3.
RP27: 6/25/2010 8:56:12 PM - System Checkpoint
RP28: 6/26/2010 9:56:12 PM - System Checkpoint
RP29: 6/27/2010 10:11:01 PM - System Checkpoint
RP30: 6/28/2010 11:16:57 PM - System Checkpoint
RP31: 6/29/2010 11:50:09 PM - System Checkpoint
RP32: 7/1/2010 12:50:09 AM - System Checkpoint
RP33: 7/2/2010 12:59:53 AM - System Checkpoint
RP34: 7/3/2010 1:37:43 AM - System Checkpoint
RP35: 7/4/2010 3:37:44 AM - System Checkpoint
RP36: 7/5/2010 4:37:43 AM - System Checkpoint
RP37: 7/6/2010 4:58:11 AM - System Checkpoint
RP38: 7/6/2010 7:18:53 PM - Installed QuickTime
RP39: 7/7/2010 9:35:03 PM - System Checkpoint
RP40: 7/8/2010 11:41:33 PM - System Checkpoint
RP41: 7/10/2010 12:23:40 AM - System Checkpoint
RP42: 7/11/2010 12:39:32 AM - System Checkpoint
RP43: 7/12/2010 1:39:32 AM - System Checkpoint
RP44: 7/13/2010 3:36:30 AM - System Checkpoint
RP45: 7/14/2010 6:57:55 PM - System Checkpoint
RP46: 7/15/2010 11:42:51 AM - Software Distribution Service 3.0
RP47: 7/15/2010 5:52:54 PM - Avg Update
RP48: 7/15/2010 5:55:23 PM - Avg Update
RP49: 7/16/2010 11:21:05 PM - System Checkpoint
RP50: 7/17/2010 11:39:40 PM - System Checkpoint
RP51: 7/18/2010 11:56:56 PM - System Checkpoint
RP52: 7/20/2010 12:01:18 AM - System Checkpoint
RP53: 7/20/2010 4:18:18 PM - Avg Update
RP54: 7/21/2010 6:30:55 AM - Software Distribution Service 3.0
RP55: 7/22/2010 3:14:06 PM - System Checkpoint
RP56: 7/23/2010 8:14:40 PM - Restore Operation
RP57: 7/24/2010 11:00:20 AM - Restore Operation
RP58: 7/24/2010 11:03:13 AM - Restore Operation

==== Installed Programs ======================

Ad-Aware
Adobe Acrobat 5.0
Adobe Flash Player 10 Plugin
Adobe Reader 9.3.3
ALPS Touch Pad Driver
Apple Application Support
Apple Software Update
AVG Free 9.0
Broadcom Gigabit Integrated Controller
C-Major Audio
CCleaner
Conexant D110 MDC V.92 Modem
Dell Wireless WLAN Card
Gemcom32
Gemstall
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
I8kfanGUI V3.1
ieSpell
Intel(R) Graphics Media Accelerator Driver for Mobile
Java Auto Updater
Java(TM) 6 Update 16
Java(TM) 6 Update 20
Malwarebytes' Anti-Malware
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.6.8)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
OpenOffice.org 3.2
QuickTime
Sapphire Management Suite 1.09.06 6162009
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB982381)
ServTerm
Spybot - Search & Destroy
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)

==== Event Viewer Messages From Past Week ========

7/24/2010 11:42:16 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
7/24/2010 11:42:16 AM, error: Service Control Manager [7034] - The AVG Free E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).
7/24/2010 11:42:16 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
7/24/2010 11:42:16 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
7/24/2010 11:42:10 AM, error: Service Control Manager [7034] - The Dell Wireless WLAN Tray Service service terminated unexpectedly. It has done this 1 time(s).
7/23/2010 8:59:19 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/23/2010 8:59:11 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
7/23/2010 8:16:40 PM, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
7/23/2010 8:14:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/23/2010 8:13:37 PM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
7/23/2010 8:13:37 PM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
7/23/2010 11:19:08 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
7/21/2010 8:10:17 AM, error: Dhcp [1002] - The IP address lease 192.168.0.101 for the Network Card with network address 0014A416AC13 has been denied by the DHCP server 192.168.50.1 (The DHCP Server sent a DHCPNACK message).
7/21/2010 1:34:49 PM, error: Dhcp [1002] - The IP address lease 192.168.50.129 for the Network Card with network address 0014A416AC13 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================
 
I had posted more logs but they didn't post, so I am attaching the logs.
 

Attachments

  • DDS.txt (7.5 KB)
  • gmer.log (3.2 KB)
  • mbam-log-2010-07-24 (12-03-32).txt (893 bytes)
  • Attach.txt (10.7 KB)
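As an added example that is not part of this thread (not GMER's code and not the helper's instructions), here is a triage script for the "User code sections" block of the GMER log above. It parses the inline-hook lines, groups them by process and reports which exports are detoured in every process and whether the detour leaves the system DLL range; the SYSTEM_DLL_FLOOR value is an assumption for 32-bit Windows XP, and the sample lines are a constructed copy of the log format.

```python
"""GMER 'User code sections' triage (added example; not GMER's code).

It parses the inline-hook lines GMER prints, groups them by process and
reports which exports are detoured and where the detours land, so the hooks
can be correlated with the security software the DDS log shows installed
(AVG and Lavasoft in this thread) before anything is treated as malicious.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the exact line format GMER uses on this page.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007C000A
.text C:\WINDOWS\system32\wuauclt.exe[284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007D000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 00D4000A
.text C:\WINDOWS\Explorer.EXE[2152] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A2000A
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s*$"
)

# Assumption: on 32-bit Windows XP the system DLLs (ntdll, ole32, ...) are
# mapped above this address. A JMP target below it is not inside the hooked
# DLL; it is normally a trampoline in memory allocated by whatever injected it.
SYSTEM_DLL_FLOOR = 0x70000000


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    addr: int
    size: int
    target: int

    @property
    def export(self) -> str:
        return f"{self.module}!{self.func}"

    def leaves_system_dll(self) -> bool:
        """True when a hook on a system DLL detours below the DLL range."""
        return self.addr >= SYSTEM_DLL_FLOOR and self.target < SYSTEM_DLL_FLOOR


def parse_hooks(text: str) -> list[Hook]:
    """Extract every inline-hook line; headers and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"].lower(),
            func=m["func"], addr=int(m["addr"], 16), size=int(m["size"]),
            target=int(m["target"], 16)))
    return hooks


def hooks_by_process(hooks: list[Hook]) -> dict[tuple[str, int], list[Hook]]:
    """Group hooks by (image, pid) so the per-process pattern is visible."""
    groups: dict[tuple[str, int], list[Hook]] = defaultdict(list)
    for h in hooks:
        groups[(h.image, h.pid)].append(h)
    return dict(groups)


def exports_hooked_in_every_process(hooks: list[Hook]) -> set[str]:
    """Exports detoured in all listed processes: the footprint of a system-wide
    injector (an AV's user-mode shield or malware); the analyst decides which."""
    procs = hooks_by_process(hooks)
    if not procs:
        return set()
    return set.intersection(*({h.export for h in hs} for hs in procs.values()))


def triage(text: str) -> dict:
    """Summary numbers an analyst would read before looking at single lines."""
    hooks = parse_hooks(text)
    return {
        "hook_count": len(hooks),
        "process_count": len(hooks_by_process(hooks)),
        "everywhere": sorted(exports_hooked_in_every_process(hooks)),
        "detours_out_of_dll": sum(h.leaves_system_dll() for h in hooks),
    }


if __name__ == "__main__":
    for (image, pid), hs in hooks_by_process(parse_hooks(SAMPLE_GMER)).items():
        print(f"{image}[{pid}]")
        for h in hs:
            flag = " (detour leaves system DLL range)" if h.leaves_system_dll() else ""
            print(f"  {h.export} @ {h.addr:08X} -> {h.target:08X}{flag}")
    print(triage(SAMPLE_GMER))
```

The same three ntdll exports hooked in every process, as in the full log above, is the pattern to check against the installed AVG and Ad-Aware components before concluding anything; the script only makes that pattern visible.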
Note: If you have a previous version of TDSSKiller downloaded, please delete it now and download a fresh copy using the links provided below.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
Go to Start > Run (or you can hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks), then press OK.

"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
When it is done, a log file should be created on your C: drive called TDSSKiller.txt; please copy and paste the contents of that file here.
 
hummm, on my desktop I see the tdsskiller zip folder. I unzipped it and I see on my desktop eula.txt and tdsskiller. I copied the text, making sure I had the quotes, and pasted it in Run. It asks me if I want to run tdsskiller; I selected yes and it comes up with

error
valid command line paramaters
-l <file name> (path to log file)
-qpath <folder name> (path to quarantine folder)
-qall (copy all objects to quarantine)
-qsus (copy all suspicious objects to quarantine)
qmbr (copy all mbr to quarantine)


I ran it three times and got the same error each time, but I did find this log on my C: drive.

2010/07/24 15:56:19.0921 TDSS rootkit removing tool 2.4.0.0 Jul 22 2010 16:09:49
2010/07/24 15:56:19.0921 ================================================================================
2010/07/24 15:56:19.0921 SystemInfo:
2010/07/24 15:56:19.0921
2010/07/24 15:56:19.0921 OS Version: 5.1.2600 ServicePack: 3.0
2010/07/24 15:56:19.0921 Product type: Workstation
2010/07/24 15:56:19.0921 ComputerName: UNITED-A4E2111A
2010/07/24 15:56:19.0921 UserName: Jeff Lyons
2010/07/24 15:56:19.0921 Windows directory: C:\WINDOWS
2010/07/24 15:56:19.0921 System windows directory: C:\WINDOWS
2010/07/24 15:56:19.0921 Processor architecture: Intel x86
2010/07/24 15:56:19.0921 Number of processors: 1
2010/07/24 15:56:19.0921 Page size: 0x1000
2010/07/24 15:56:19.0921 Boot type: Normal boot
2010/07/24 15:56:19.0921 ================================================================================
2010/07/24 15:56:20.0593 Initialize success
2010/07/24 15:56:23.0343 Deinitialize success
 
Hmmm....

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure you re-enable your security programs when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
ComboFix 10-07-24.01 - Jeff Lyons 07/24/2010 16:54:09.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.607 [GMT -5:00]
Running from: c:\documents and settings\Jeff Lyons\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
ADS - WINDOWS: deleted 128 bytes in 1 streams.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\images

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-24 to 2010-07-24 )))))))))))))))))))))))))))))))
.

2010-07-24 04:02 . 2010-07-24 04:24 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2010-07-24 03:52 . 2010-07-24 03:50 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-07-24 03:28 . 2010-07-24 03:28 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Sunbelt Software
2010-07-24 03:27 . 2010-07-24 03:28 -------- dc-h--w- c:\documents and settings\All Users.WINDOWS\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-24 03:27 . 2010-07-12 08:56 2979280 -c--a-w- c:\documents and settings\All Users.WINDOWS\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}\Ad-AwareInstall.exe
2010-07-24 03:27 . 2010-07-24 03:52 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Lavasoft
2010-07-24 02:31 . 2010-07-24 02:31 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Help
2010-07-24 01:20 . 2010-07-24 01:20 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\Malwarebytes
2010-07-24 01:20 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-24 01:19 . 2010-07-24 01:19 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-07-24 01:19 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-24 01:15 . 2010-07-24 01:15 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-15 22:55 . 2010-07-15 22:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 14:10 . 2010-07-15 14:10 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\Apple Computer
2010-07-15 13:19 . 2010-07-15 13:19 17712 ----a-w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-07-07 00:19 . 2010-07-07 00:19 -------- d-----w- c:\program files\QuickTime
2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple Computer
2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\program files\Common Files\Apple
2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Apple
2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\program files\Apple Software Update
2010-07-07 00:18 . 2010-07-07 00:18 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Apple
2010-07-07 00:17 . 2010-07-07 00:17 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Apple Computer
2010-07-05 10:13 . 2010-07-05 10:13 18236 ---ha-w- c:\windows\system32\mlfcache.dat
2010-07-01 17:21 . 1999-03-23 14:12 299520 ----a-w- c:\windows\uninst.exe
2010-07-01 17:21 . 2010-07-01 17:21 -------- d-----w- c:\documents and settings\Jeff Lyons\WINDOWS
2010-06-29 14:47 . 2010-07-21 17:06 -------- d-----w- C:\Gemstall
2010-06-28 13:13 . 2010-06-28 13:13 -------- d-----w- C:\SHOPAK V5.00.09 Suite Production CD
2010-06-25 02:07 . 2009-11-25 18:01 1230080 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar\IEToolbar.dll
2010-06-25 01:56 . 2010-07-03 20:03 -------- d-----w- c:\documents and settings\Jeff Lyons\Local Settings\Application Data\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-24 21:31 . 2010-06-20 17:52 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\mIRC
2010-07-24 16:33 . 2010-05-29 23:16 0 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\prvlcl.dat
2010-07-24 15:54 . 2008-08-21 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
2010-07-24 04:05 . 2009-10-03 13:13 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-07-24 02:42 . 2010-07-24 02:29 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\SecTaskMan
2010-07-24 01:34 . 2009-10-03 13:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-24 01:07 . 2010-06-20 19:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\AVG Security Toolbar
2010-07-18 03:25 . 2010-06-20 21:09 1 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-07-15 22:55 . 2010-06-20 19:37 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 22:54 . 2010-06-20 19:37 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-22 00:00 . 2010-06-20 19:37 29584 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-06-21 03:27 . 2010-06-21 03:27 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\ARPPRODUCTICON.exe
2010-06-21 03:27 . 2010-06-21 03:27 193110 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut11_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-21 03:27 . 2010-06-21 03:27 193110 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut1_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe2_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut31_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-21 03:27 . 2010-06-21 03:27 157302 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut3_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-20 21:09 . 2010-06-20 21:09 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\OpenOffice.org
2010-06-20 21:03 . 2010-05-23 20:26 -------- d-----w- c:\program files\JRE
2010-06-20 21:03 . 2009-12-06 02:29 -------- d-----w- c:\program files\OpenOffice.org 3
2010-06-20 21:01 . 2010-06-20 21:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-20 19:36 . 2010-06-20 19:36 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\avg9
2010-06-20 17:52 . 2009-08-31 23:41 -------- d-----w- c:\program files\mIRC
2010-06-20 17:21 . 2010-06-20 17:21 0 ----a-w- c:\windows\nsreg.dat
2010-06-20 17:19 . 2009-10-14 20:43 -------- d-----w- c:\program files\ieSpell
2010-06-20 17:12 . 2010-06-20 17:12 8854 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\Uninstall_Gemcom32_85545F6251FA449E95B54442DE267E7D.exe
2010-06-20 17:12 . 2010-06-20 17:12 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\rubylink.exe_19A09CFB000C4A769EAB009413464CCF.exe
2010-06-20 17:12 . 2010-06-20 17:12 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut2_A7D3544621974F95824035A15208D8AE.exe
2010-06-20 17:12 . 2010-06-20 17:12 40960 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut1_19A09CFB000C4A769EAB009413464CCF.exe
2010-06-20 17:12 . 2010-06-20 17:12 10134 ----a-r- c:\documents and settings\Jeff Lyons\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\ARPPRODUCTICON.exe
2010-06-20 17:11 . 2010-06-20 17:11 503808 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46e00657-n\msvcp71.dll
2010-06-20 17:11 . 2010-06-20 17:11 499712 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46e00657-n\jmc.dll
2010-06-20 17:11 . 2010-06-20 17:11 348160 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-46e00657-n\msvcr71.dll
2010-06-20 17:11 . 2010-06-20 17:11 61440 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c25c497-n\decora-sse.dll
2010-06-20 17:11 . 2010-06-20 17:11 12800 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-7c25c497-n\decora-d3d.dll
2010-06-20 17:09 . 2010-06-20 17:09 79488 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-06-20 17:09 . 2010-06-20 17:09 152576 ----a-w- c:\documents and settings\Jeff Lyons\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
2010-06-20 17:04 . 2009-01-16 18:35 -------- d-----w- c:\program files\Apoint
2010-06-20 17:03 . 2010-06-20 17:03 -------- d-----w- c:\program files\Broadcom
2010-06-20 16:35 . 2009-10-29 17:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-20 16:34 . 2010-06-20 16:34 -------- d-----w- c:\documents and settings\Jeff Lyons\Application Data\InterTrust
2010-06-20 16:20 . 2010-06-20 15:28 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-06-20 15:25 . 2010-06-20 15:25 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-06-20 03:53 . 2009-12-06 02:38 1 ----a-w- c:\documents and settings\Jeff\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-06-19 21:18 . 2009-08-31 23:41 -------- d-----w- c:\documents and settings\Jeff\Application Data\mIRC
2010-06-16 17:57 . 2010-06-16 17:57 193110 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut11_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-16 17:57 . 2010-06-16 17:57 193110 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut1_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut31_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\NewShortcut3_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-16 17:57 . 2010-06-16 17:57 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\ARPPRODUCTICON.exe
2010-06-16 17:57 . 2010-06-16 17:57 157302 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}\SASTM.exe2_9E5F62A684E04D3BB7C2928F8BCDBF7E.exe
2010-06-14 14:31 . 2010-06-20 15:26 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-25 15:09 . 2009-10-14 18:42 23824 ----a-w- c:\documents and settings\Jeff\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-11 15:13 . 2010-05-11 15:13 45056 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{A26428D4-F486-4CA3-83E8-456B8104090B}\NewShortcut1_A26428D4F4864CA383E8456B8104090B.exe
2010-05-11 15:13 . 2010-05-11 15:13 45056 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{A26428D4-F486-4CA3-83E8-456B8104090B}\VFIRtRCnfg.exe_C6BE42A2F5E140CF9AF72D1C5FC7BA62.exe
2010-05-11 15:13 . 2010-05-11 15:13 10134 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{A26428D4-F486-4CA3-83E8-456B8104090B}\ARPPRODUCTICON.exe
2010-05-08 16:03 . 2010-05-08 16:03 8854 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\Uninstall_Gemcom32_85545F6251FA449E95B54442DE267E7D.exe
2010-05-08 16:03 . 2010-05-08 16:03 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\rubylink.exe_19A09CFB000C4A769EAB009413464CCF.exe
2010-05-08 16:03 . 2010-05-08 16:03 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut2_A7D3544621974F95824035A15208D8AE.exe
2010-05-08 16:03 . 2010-05-08 16:03 40960 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\NewShortcut1_19A09CFB000C4A769EAB009413464CCF.exe
2010-05-08 16:03 . 2010-05-08 16:03 10134 ----a-r- c:\documents and settings\Jeff\Application Data\Microsoft\Installer\{85545F62-51FA-449E-95B5-4442DE267E7D}\ARPPRODUCTICON.exe
2010-05-08 16:00 . 2010-05-08 16:00 79488 ----a-w- c:\documents and settings\Jeff\Application Data\Sun\Java\jre1.6.0_18\gtapi.dll
2010-05-08 16:00 . 2010-05-08 16:00 152576 ----a-w- c:\documents and settings\Jeff\Application Data\Sun\Java\jre1.6.0_18\lzma.dll
2010-05-02 05:22 . 2008-08-21 12:00 1851264 ----a-w- c:\windows\system32\win32k.sys
.
 
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 15:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-17 1392640]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-16 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-16 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-16 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-07-15 2065760]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]

c:\documents and settings\Jeff\Start Menu\Programs\Startup\
Secunia PSI.lnk - c:\program files\Secunia\PSI\psi.exe [2009-8-21 900816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 22:55 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Documents and Settings\\All Users.WINDOWS\\Start Menu\\Programs\\mirc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [7/23/2010 10:52 PM 64288]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [6/20/2010 2:37 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [6/20/2010 2:37 PM 243024]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [6/20/2010 2:46 PM 14464]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [7/15/2010 5:54 PM 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 5:55 PM 308136]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/12/2010 3:55 AM 1181328]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [6/20/2010 12:00 PM 88192]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

2010-07-24 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

2010-07-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-07-12 03:48]

2010-07-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-24 17:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-07-24 17:03:43
ComboFix-quarantined-files.txt 2010-07-24 22:03

Pre-Run: 17,711,280,128 bytes free
Post-Run: 17,689,083,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 9D4BD18BEDFCEF504F95E07915D1EA2E
 
Looks good :)

How are the issues?

Uninstall Combofix:
Go to Start > Run (Vista users, go to Start > "Start search")
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Everything is working well now.

OTL Extras logfile created on: 7/24/2010 6:06:35 PM - Run 1
OTL by OldTimer - Version 3.2.9.1 Folder = C:\Documents and Settings\Jeff Lyons\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,015.00 Mb Total Physical Memory | 531.00 Mb Available Physical Memory | 52.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 18.65 Gb Free Space | 50.06% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: UNITED-A4E2111A
Current User Name: Jeff Lyons
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\mIRC\mirc.exe" = C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe" = C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe:*:Enabled:mIRC -- (mIRC Co. Ltd.)
"C:\Program Files\AVG\AVG9\avgemc.exe" = C:\Program Files\AVG\AVG9\avgemc.exe:*:Enabled:avgemc.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgupd.exe" = C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe -- (AVG Technologies CZ, s.r.o.)
"C:\Program Files\AVG\AVG9\avgnsx.exe" = C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe -- (AVG Technologies CZ, s.r.o.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = TIPCI
"{26A24AE4-039D-4CA4-87B4-2F83216016F0}" = Java(TM) 6 Update 16
"{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5A13987D-55F4-4271-A40E-76AC9B1B38FD}" = OpenOffice.org 3.2
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7B477A4E-DAB4-4C0C-B0D3-B29B6D163783}" = Sapphire Management Suite 1.09.06 6162009
"{7E369B27-13E2-41A5-9879-358EE1C8B5AD}" = Broadcom Gigabit Integrated Controller
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{85545F62-51FA-449E-95B5-4442DE267E7D}" = Gemcom32
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.3
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}" = Ad-Aware
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"Ad-Aware" = Ad-Aware
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"AVG9Uninstall" = AVG Free 9.0
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CCleaner" = CCleaner
"CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1" = Conexant D110 MDC V.92 Modem
"Gemstall" = Gemstall
"I8kfanGUI" = I8kfanGUI V3.1
"ieSpell" = ieSpell
"InstallShield_{0E0479F8-180F-4054-B4F7-17EE657F90BF}" = Texas Instruments PCIxx21/x515/xx12 drivers.
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.6.8)" = Mozilla Firefox (3.6.8)
"ServTerm" = ServTerm

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 6/20/2010 4:33:59 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
Description = Faulting application unopkg.bin, version 0.0.0.0, faulting module
sal3.dll, version 3.0.500.0, fault address 0x000095e3.

Error - 6/20/2010 4:34:02 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
Description = Faulting application unopkg.bin, version 0.0.0.0, faulting module
sal3.dll, version 3.0.500.0, fault address 0x000095e3.

Error - 6/20/2010 4:34:04 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
Description = Faulting application unopkg.bin, version 0.0.0.0, faulting module
sal3.dll, version 3.0.500.0, fault address 0x000095e3.

Error - 7/3/2010 4:26:11 PM | Computer Name = UNITED-A4E2111A | Source = Application Hang | ID = 1002
Description = Hanging application mirc.exe, version 6.35.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/3/2010 4:26:11 PM | Computer Name = UNITED-A4E2111A | Source = Application Hang | ID = 1002
Description = Hanging application mirc.exe, version 6.35.0.0, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 7/3/2010 4:28:58 PM | Computer Name = UNITED-A4E2111A | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 3.2.9498.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/3/2010 4:31:29 PM | Computer Name = UNITED-A4E2111A | Source = Application Error | ID = 1000
Description = Faulting application plugin-container.exe, version 1.9.2.3828, faulting
module ntdll.dll, version 5.1.2600.5755, fault address 0x0000100b.

Error - 7/23/2010 9:03:37 PM | Computer Name = UNITED-A4E2111A | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: The connection with the server was terminated abnormally

Error - 7/23/2010 9:03:39 PM | Computer Name = UNITED-A4E2111A | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

Error - 7/23/2010 9:03:41 PM | Computer Name = UNITED-A4E2111A | Source = crypt32 | ID = 131080
Description = Failed auto update retrieval of third-party root list sequence number
from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
with error: This network connection does not exist.

[ System Events ]
Error - 7/23/2010 9:35:45 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:42:29 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:42:50 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:46:38 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:52:07 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:59:06 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7023
Description = The Windows Firewall/Internet Connection Sharing (ICS) service terminated
with the following error: %%2

Error - 7/23/2010 9:59:11 PM | Computer Name = UNITED-A4E2111A | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
PCIIde

Error - 7/23/2010 9:59:19 PM | Computer Name = UNITED-A4E2111A | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring
the volume.

Error - 7/23/2010 9:59:19 PM | Computer Name = UNITED-A4E2111A | Source = Ftdisk | ID = 262189
Description = The system could not sucessfully load the crash dump driver.

Error - 7/23/2010 9:59:19 PM | Computer Name = UNITED-A4E2111A | Source = Ftdisk | ID = 262193
Description = Configuring the Page file for crash dump failed. Make sure there is
a page file on the boot partition and that is large enough to contain all physical
memory.


< End of report >
 
Everything seems to be going well. I have had a problem posting a reply. The logs are too big to paste, so I am attaching them.
 

Attachments: OTL.Txt (130.6 KB), Extras.Txt (27.4 KB)
Good news then :)

Update your Java version here: http://www.java.com/en/download/installed.jsp
During installation, make sure to UN-check any pre-checked extra "garbage" installation, like Yahoo toolbar, or others (if offered).
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

======================================================================

OTL log looks very clean.

Last scan....

1. Download Temp File Cleaner (TFC)
Double click on TFC.exe to run the program.
Click on Start button to begin cleaning process.
TFC will close all running programs, and it may ask you to restart computer.


2. Go to the Kaspersky website and perform an online antivirus scan.

1. Disable your active antivirus program.
2. Read through the requirements and privacy statement and click on Accept button.
3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
4. When the downloads have finished, click on Settings.
5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
6. Click on My Computer under Scan.
7. Once the scan is complete, it will display the results. Click on View Scan Report.
8. You will see a list of infected items there. Click on Save Report As....
9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Sunday, July 25, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Sunday, July 25, 2010 02:16:33
Records in database: 4219737
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 64100
Threats found: 1
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 03:12:51


File name / Threat / Threats count
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Jeff\My Documents\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Jeff Lyons\Desktop\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.
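The report above lists four "Infected" objects but only one "Threat", and every verdict carries Kaspersky's not-a-virus: prefix, which marks riskware/PUA (here an IRC client) rather than an infection. The following added example, not part of the thread or of Kaspersky's tooling, parses that report format and separates not-a-virus: verdicts from real malware verdicts so the decision "does this scan need action?" is made from the verdict string rather than from the headline count. The sample input is the detection block from the report above, embedded as a constructed string; the regexes and the riskware/malware split are this example's own assumptions about the report layout.

```python
import re
from collections import Counter

# Constructed sample: the statistics block and detection lines from the Kaspersky
# Online Scanner 7.0 report posted above, reduced to what the parser reads.
SAMPLE_REPORT = r"""
Scan statistics:
Objects scanned: 64100
Threats found: 1
Infected objects found: 4
Suspicious objects found: 0

File name / Threat / Threats count
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Jeff\My Documents\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Jeff Lyons\Desktop\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

Selected area has been scanned.
"""

# One detection line: "<path> Infected: <verdict> <count>" (assumed layout, matches the report above).
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Infected|Suspicious): (?P<verdict>\S+) (?P<count>\d+)$"
)
# One statistics line: "<name>: <integer>".
STAT_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<value>\d+)$")


def parse_report(text):
    """Return (stats, detections) from a Kaspersky Online Scanner 7 text report."""
    stats, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            detections.append({
                "path": m.group("path"),
                "status": m.group("status"),
                "verdict": m.group("verdict"),
                "count": int(m.group("count")),
            })
            continue
        m = STAT_RE.match(line)
        if m:
            stats[m.group("name")] = int(m.group("value"))
    return stats, detections


def classify(verdict):
    """Kaspersky prefixes riskware/PUA verdicts with 'not-a-virus:'; anything else is treated as malware."""
    return "riskware" if verdict.startswith("not-a-virus:") else "malware"


def triage(text):
    """Summarise a report: how many objects are malware vs riskware, and whether action is needed."""
    stats, detections = parse_report(text)
    by_class = Counter(classify(d["verdict"]) for d in detections)
    distinct = {d["verdict"] for d in detections}
    # Cross-check the parsed detection lines against the scanner's own totals:
    # "Infected objects found" counts files, "Threats found" counts distinct verdicts.
    infected_lines = sum(1 for d in detections if d["status"] == "Infected")
    consistent = (stats.get("Infected objects found") == infected_lines
                  and stats.get("Threats found") == len(distinct))
    return {
        "malware": by_class["malware"],
        "riskware": by_class["riskware"],
        "distinct_verdicts": sorted(distinct),
        "consistent": consistent,
        "needs_action": by_class["malware"] > 0,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print("%-18s %s" % (key, value))
```

On the report above this yields four riskware objects, no malware and needs_action False, which is the same conclusion the helper reached by eye; a verdict such as Trojan.Win32.Agent.x on any line would flip needs_action to True regardless of how many not-a-virus: entries surround it.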
 
Wonderful :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=====================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run defrag at your convenience.

8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

9. Please let me know how your computer is doing.
 
Sorry it took so long to get back; storms have had me busy at work this week.
The computer is working great. I want to thank you for all the work you do. When I get the time I need to take a look at our desktop that the son and wife both use; both download stuff all the time. When I get the time I will post a new thread if there are any issues.

Thanks again
Jeff
 
Way to go!!

Good luck and stay safe :)
 